InfoSec Handlers Diary Blog

Following up on yesterday's diary[1], I had a deeper look at the malicious AutoIT script dropped in my sandbox. For those who are not familiar with AutoIT, it is a BASIC-like scripting language designed for automating Windows tasks. While scripts can be very simple, they can also interact with any feature of the operating system.

The analyzed script has the following SHA256 hash: d5a8cdc7ae6a49233ee021a39f12ef61c630202f68edc3a7d64fd1b616704d8d and was still unknown on VT at the time of writing this diary. The script uses several obfuscation techniques, including:

It has many similarities with another script that I analyzed a few months ago[2]. The script contains plenty of hex-encoded code that it injects into other processes, but I don't know yet what this code does.
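As an added example (not code from the diary or from the analyzed sample), here is a small Python triage helper of the kind I use to pull long hex-encoded string literals out of an AutoIT script, decode them, hash them and flag those that start with a PE (`MZ`) header, so the embedded blobs can be carved out and analyzed separately. The AutoIT snippet and the byte values in it are constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for an AutoIT script: one long hex literal (a dummy
# DOS/PE header followed by zero padding, not a real executable), one short
# hex-looking string that is too small to be an embedded payload, and a
# filler line that is not a quoted hex literal at all.
SAMPLE_AU3 = r'''
Local $sPayload = "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000"
Local $sTag = "DEADBEEF"
Local $hProc = _WinAPI_OpenProcess(0x1F0FFF, False, $iPid)
'''

# Any double-quoted literal made only of hex digits.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]+)"')


def classify_blob(blob):
    """Heuristic label: 'pe' when the bytes start with an MZ header, else 'raw'
    (raw blobs are candidates for position-independent code)."""
    return "pe" if blob[:2] == b"MZ" else "raw"


def extract_hex_blobs(script_text, min_bytes=32):
    """Return one dict per decoded hex literal of at least min_bytes bytes."""
    findings = []
    for m in HEX_LITERAL.finditer(script_text):
        hexstr = m.group(1)
        # Odd length cannot be a byte string; short strings are probably tags/keys.
        if len(hexstr) % 2 or len(hexstr) // 2 < min_bytes:
            continue
        blob = bytes.fromhex(hexstr)
        findings.append({
            "offset": m.start(1),          # where the literal sits in the script
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "kind": classify_blob(blob),
        })
    return findings


if __name__ == "__main__":
    for finding in extract_hex_blobs(SAMPLE_AU3):
        print(finding)
```

Each decoded blob can then be written to disk and handed to a PE parser or a disassembler, depending on its `kind`.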